((((( Financial Cryptography Update: Why passports will have RFIDs )))))
February 01, 2006
------------------------------------------------------------------------
https://www.financialcryptography.com/mt/archives/000643.html
------------------------------------------------------------------------
The Register revealed the scandalous behaviour of the Dutch promiscuous
passports.
http://www.theregister.co.uk/2006/01/30/dutch_biometric_passport_crack/
Quickest description is on EC:
http://www.emergentchaos.com/archives/002355.html
==========8<================
The secret key is made up of the passport expiry date, birth date and
the passport number stored in the passport's Machine Readable Zone. The
Dutch passport numbering scheme proves to be sequential and has a
relation with the passport expiry date. Further, the last digit of the
number is a checksum introducing additional predictability. The
selection of a new and unpredictable passport numbering scheme would
considerably improve the security.
=================>8=========
http://wiki.whatthehack.org/index.php/Attacks_on_Digital_Passports
Oops. History does not reveal how it is that the Dutch - normally a
country steeped in deep privacy and cryptography that they run things
like WhatTheHack where it was first announced - managed to make such a
blunder.
One quibble. Adam goes on to say "The radio has no function." I think
that's a bit tough to sustain. The point of using RFIDs and so forth
comes from long hard-won experience. The experience pans out roughly
like this:
<ul><li>smartcard people wanted to do money</li>
<li>smartcards are too expensive for money</li>
<li>only mass transits had the wherewithall to finance smartcards as
money</li>
<li>mass transits also have mass queues</li>
<li>only very fast systems work in mass transits</li>
<li>contactless smarts are the only ones that are fast</li>
<li>smartcard money therefore had to be RFID.</li>
<li>people thinking smartcards therefore think RFID</li></ul>
>From there, the decision to add smart cards to passports means they
more or less had to include RFIDs. All experience points in that
direction, and experience is everything in the smart card world (mostly
because there is so little of it).
So the question then reduces to ... how applicable is mass transit
experience to the passport issue? This might be considered to be the
LAX factor - the answer is "quite a lot" if you've ever been stuck in a
queue at a major US airport carefully calculating the time to the gate
close on your connection.
Which does nothing to answer the next question: does the LAX factor -
the benefit of radio-enhanced fast entry - outweigh the downsides?
That seems to be the experiment that the various passport offices are
intending to run on their captive subjects, so we will know for sure in
about 10 years.
--
Powered by Movable Type
Version 2.64
http://www.movabletype.org/